With less than half a year to go before the EU’s General Data Regulation Policy (GDPR) falls, executives are under increasing pressure to think about the implications for their businesses, and what physical changes will have to be made as a result.
Staff information will be a particularly key concern, and will constitute a real danger for employers if they are to comply with the Regulations when they come into play on May 28th 2018.
The rights of the data subject
Data subjects (holders of personal data living in the EU) will have more rights under GDPR, and penalties for infringement of these new rights will be severe. As guidance, these rights will be:
- The right to data portability, meaning employees will be able to obtain and redirect the use of their personal data across various services in certain situations.
- The right to know how employers will use personal data. Employers must be transparent on this point.
- The right to prevent the handling or processing of personal data.
- The right to access this data and to have it amended if it is incorrect or inaccurate.
- The right for personal data to be forgotten or deleted in certain situations.
Evidenced due diligence
Adhering to these new measures will have to be buoyed by a new culture of accountability, that will require businesses to evidence each step of the consent process.
Robust compliancy will begin at staff training, because only correctly trained staff will be allowed, under GDPR, to handle data of data subjects. Organisations will also have to appoint a data protection officer (DPO).
Thorough internal data audits will be needed to purge storage silos of non-compliant or old data, while reviews of internal HR policies in parallel will be the start of a GDPR-ready procedural overhaul.
Transparency will have to be maintained throughout and assumed consent will not be valid. Rather, data subjects will have to actively opt-in to consent, having read a clearly understandable and obviously presented explanation of the reasons of data usage. No longer will consent be hidden at the bottom of reams of terms and conditions.
For businesses with more than 250 employees, more detailed records of processing activities must be kept. Bosses should note that this will require more expenditure on administration, and will put further pressure on HR departments, procedures and staff.
What’s at stake?
GDPR is not a tick-box exercise, but more of an ongoing journey that will see progressive compliance develop in line with a culture of respect for data privacy, data subject consent and organisational transparency.
If employers discover that they have committed a data breach, data protection regulation officers will need to be notified within 72 hours, and then the organisation at fault will have to show that the error will not put data subjects’ rights and freedoms at risk.
In most severe data breach cases, organisations could be liable to pay up to 20 million Euros, or up to 4% of annual worldwide turnover, whichever is greater.
What to remember
Employers must note that the way that data is processed is about to fundamentally change. While maximum fines will only be imposed as a last resort, organisations should still be making all investigations possible into how to prepare adequately for this landmark legislation from the EU.
This must begin at a review of data protection policies and practices as they stand, followed by a redistribution of resources in anticipation of new burdens imposed by compliance.
Data flows must be reviewed, as well as how employee data is processed and where it is stored. As only properly qualified members of staff will be permitted to handle data under GDPR, employers should look into compliance training as we progress through the early stages of 2018. A Data Protection Officer may be required in your organisation to oversee compliance.
By Stephen White, Features Editor, GDPR Report
GDPR Summit Series is a global series of GDPR events which will help marketers to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information and conference details are available at http://www.gdprsummit.london/
comments powered by Disqus